Manage role groups

Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2012-10-08

This topic shows you how to add, remove, copy, and view management role groups in Microsoft Exchange Server 2013. It also shows you how to add, remove, and list management roles on role groups and how to change management scopes and delegates on role groups. For more information about role groups in Exchange 2013, see Understanding management role groups.

For additional management tasks related to role groups, see Permissions.

If you have a role group that contains the permissions you want to grant to users, but you want to apply a different management scope, or remove or add one or two management roles without having to add all the other roles manually, you can copy the existing role group.

Important:

You can't use the EAC to copy a role group if you've used the Exchange Management Shell to configure multiple management role scopes or exclusive scopes on the role group. If you've configured multiple scopes or exclusive scopes on the role group, you must use the Shell procedures later in this topic to copy the role group. For more information about management role scopes, see Understanding management role scopes.

In the EAC, navigate to Permissions > Admin Roles.

Select the role group you want to copy and then click Copy .

In the New role group window, provide a name for the new role group.

Review the roles that have been copied to the new role group. Add or remove roles as necessary.

Review the write scope, and change it as necessary.

Review the members that have been copied to the new role group. Add or remove members as necessary.

For example, the following commands copy the Organization Management role group, and name the new role group "Limited Organization Management". It adds the members Isabelle, Carter, and Lukas and can be delegated by Jenny and Katie.

For example, the following commands copy the Organization Management role group and create a new role group called Vancouver Organization Management with the Vancouver Users recipient scope and Vancouver Servers configuration scope.

For example, the following commands copy the Recipient Management role group and create a new role group called Toronto Recipient Management that allows management of only users in the Toronto Users OU.

If you no longer need a role group you created, you can remove it. When you remove a role group, the management role assignments between the role group and the management roles are deleted. The management roles aren't deleted. If a user depended on the role group for access to a feature, the user will no longer have access to the feature. You can't remove built-in role groups.

Adding a management role to a role group is the best and simplest way to grant permissions to a group of administrators or specialist users. If you want to give users that are members of a role group the ability to manage a feature, you add the management role that manages the feature to the role group. After the role is added, the members of the role group are granted the permissions provided by the role.

You can't use the EAC to add roles to a role group if you've used the Shell to configure multiple management role scopes or exclusive scopes on the role group. If you've configured multiple scopes or exclusive scopes on the role group, you must use the Shell procedures later in this topic to add roles to the role group. For more information about management role scopes, see Understanding management role scopes.

In the EAC, navigate to Permissions > Admin Roles.

Select the role group you want to add a role to, and then click Edit .

In the Roles section, select the roles you want to add to the role group.

If a predefined scope meets your business requirements, you can apply that scope to the role assignment rather than create a new one. For a list of predefined scopes and their descriptions, see Understanding management role scopes.

If you created a server or database configuration filter or list-based scope, you need to include the scope in the command used to assign the role to a role group by using the CustomConfigWriteScope parameter.

You can also include a recipient write scope when you create a role assignment that has a configuration write scope.

For more information about role assignments and management scopes, see the following topics:

Removing a role from a management role group is the best and simplest way to revoke permissions granted to a group of administrators or specialist users. If you don't want administrators or specialist users to have permissions to manage a feature, you remove the management role from the management role group that manages the permissions. After the role is removed, the members of the role group will no longer have permissions to manage the feature.

Note:

Some role groups, such as the Organization Management role group, restrict what roles can be removed from a role group. For more information, see Understanding management role groups.
If an administrator is a member of another role group that contains management roles that grants permissions to manage the feature, you need to either remove the administrator from the other role groups, or remove the role that grants permissions to manage the feature from the other role groups.

You can't use the EAC to remove roles from a role group if you've used the Shell to configure multiple scopes or exclusive scopes on the role group. If you've configured multiple scopes or exclusive scopes on the role group, you must use the Shell procedures later in this topic to remove roles from the role group. For more information about management role scopes, see Understanding management role scopes.

In the EAC, navigate to Permissions > Admin Roles.

Select the role group you want to remove a role from, and then click Edit .

In the Roles section, select the roles you want to remove from the role group.

You can remove roles from role groups by retrieving the associated management role assignment using the Get-ManagementRoleAssignment cmdlet and then piping the role assignment returned to the Remove-ManagementRoleAssignment cmdlet. Unless you want to remove both delegating and regular role assignments at the same time, specify the Delegating parameter to specify whether you want to remove regular or delegating role assignments.

This example removes the Distribution Groups role, which enables administrators to manage distribution groups, from the Seattle Recipient Administrators role group. Because we want to remove the role assignment that provides permissions to manage distribution groups, the Delegating parameter is set to $False, which returns only regular role assignments.

The management role assignments between a role group and a role contain management scopes, which determine what objects are made available to members of that role group. By changing the write scope on a role group, you can change what objects are made available to role group members to create, change, or remove. You can't change the read scope on a role group.

Exchange 2013 includes scopes that are applied by default to role assignments when no custom scopes are created. If you want to use a custom scope with a role assignment on a role group, you must create one first. For more information about creating custom scopes, which is an advanced task, see Create a regular or exclusive scope.

For more information about management role scopes and assignments in Exchange 2013, see the following topics:

When you use the EAC to change the scope on a role group, you're actually changing the scope on all the role assignments between the role group and each of the management roles assigned to the role group. If you want to change the scope on specific role assignments, you must use the Shell procedures later in this topic.

Important:

You can't use the EAC to manage scopes on role assignments between roles and a role group if you've used the Shell to configure multiple scopes or exclusive scopes on those role assignments. If you've configured multiple scopes or exclusive scopes on those role assignments, you must use the Shell procedures later in this topic to manage scopes. For more information about management role scopes, see Understanding management role scopes.

In the EAC, navigate to Permissions > Admin Roles.

Select the role group you want to change the scope on, and then click Edit .

Select one of the two following Write scope options:

A write scope from the drop-down box, where you can select either the default write scope or a custom write scope.

Organizational unit Select this option and provide an organizational unit (OU) if you want to scope this role group to an OU.

Role assignments between the role group and the roles assigned to it can use the implicit scope obtained from the roles themselves, the same custom scope, or different custom scopes. For more information about role assignments, see Understanding management role assignments.

The scopes on the role assignments are managed using the Set-ManagementRoleAssignment cmdlet. You can't manage scopes using the Set-RoleGroup cmdlet.

To change the scope of all the role assignments between a role group and a set of management roles at the same time, you need to first retrieve the role assignments on the role group, and then set the new scope on each of the assignments. You can do this by using the Get-ManagementRoleAssignment cmdlet to retrieve the role assignments, and then pipe them to the Set-ManagementRoleAssignment cmdlet.

This procedure uses the concepts of pipelining and the WhatIf switch. For more information, see the following topics:

You use only the parameters you need to configure the scope you want to use. For example, if you want to change the recipient scope for all role assignments on the Sales Recipient Management role group to Direct Sales Employees, use the following command.

You can use the WhatIf switch to verify that only the role assignments you want to change are changed. Run the preceding command with the WhatIf switch to verify the results, and then remove the WhatIf switch to apply the changes.

Role assignments between the role group and the roles assigned to it can use the implicit scope obtained from the roles themselves, the same custom scope, or different custom scopes. For more information about role assignments, see Understanding management role assignments.

The scopes on the role assignments are managed using the Set-ManagementRoleAssignment cmdlet. You can't manage scopes using the Set-RoleGroup cmdlet.

This procedure uses the concepts of pipelining and the Format-List cmdlet. For more information, see the following topics:

To change the scope on a role assignment between a role group and a management role, you first find the name of the role assignment, and then set the scope on the role assignment.

To find the names of all the role assignments on a role group, use the following command. By piping the management role assignments to the Format-List cmdlet, you can view the full name of the assignment.

You use only the parameters you need to configure the scope you want to use. For example, if you want to change the recipient scope for the Mail Recipients_Sales Recipient Management role assignment to All Sales Employees, use the following command.

Role group delegates are users or universal security groups (USGs) that can add or remove members from a role group or change the properties of a role group. By adding or removing role group delegates, you can control who is allowed to manage a role group.

Important:

After you add a delegate to a role group, the role group can only be managed by the delegates on the role group, or by users who are assigned, either directly or indirectly, the Role Management management role.
If a user is assigned, either directly or indirectly, the Role Management role and isn't added as a delegate of the role group, the user must use the BypassSecurityGroupManagerCheck switch on the Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, and Set-RoleGroup cmdlets to manage a role group.

To change the list of delegates on a role group, you use the ManagedBy parameter on the Set-RoleGroup cmdlet. The ManagedBy parameter overwrites the entire delegate list on the role group. If you want to add delegates to the role group rather than replace the entire list of delegates, use the following steps:

To change the list of delegates on a role group, you use the ManagedBy parameter on the Set-RoleGroup cmdlet. The ManagedBy parameter overwrites the entire delegate list on the role group. If you want to remove delegates from the role group rather than replace the entire list of delegates, use the following steps: